#!/bin/bash
#功能：限制远程ssh登录管理地址配置
#限制原则：/etc/hosts.deny全部禁止，仅放行/etc/hosts.allow

ALLOW_FILE=/etc/hosts.allow
DENY_FILE=/etc/hosts.deny
##################################################################

#SH
SHPATH=`readlink -f $0`
SHDIR=`dirname $SHPATH`
SHNAME="$0"

#DIR
LOG_DIR=$SHDIR/logs/$SHNAME
TMP_DIR=$SHDIR/temp/$SHNAME
mkdir -p $LOG_DIR $TMP_DIR



if [ ! -f $ALLOW_FILE.init.bak ] ;then cp $ALLOW_FILE  $ALLOW_FILE.init.bak;fi
if [ ! -f $DENY_FILE.init.bak  ] ;then cp $DENY_FILE   $DENY_FILE.init.bak;fi

cat  $DENY_FILE|grep -v ^#|grep 'sshd:all' >/dev/null
if [ ! $? -eq 0 ];then echo 'sshd:all' >> $DENY_FILE;fi





while true
do
sed -i '/#TEST-IPSSH/d' $ALLOW_FILE
echo '----------------限制远程ssh登录,当前放行列表----------------'
cat $ALLOW_FILE|grep -Ev "^#|^$" |grep 'sshd:' >/dev/null
if [  $? -eq 0 ];then
cat -n $ALLOW_FILE|sed 's/sshd://g' |awk '{print $0,$1}'|awk '{$1=null;print}'|sed 's/[ ]*//'|grep -Ev "^#|^$"  >$TMP_DIR/now.allow
cat -n $TMP_DIR/now.allow|awk '{$NF=null;print}'
else
echo "！暂未配置放行地址！"
echo "${DENY_FILE}已配置全部限制，请添加放行地址，否则限制所有远程ssh登录！"
fi

echo '
1.添加放行地址
2.删除放行地址
3.查看放行地址
0.退出

语法： <序列>  [地址1,地址2,网段1,网段2]
范例：
添加IP+网段：			1 10.1.1.20,10.2.2.0,10.3.*.*
添加全部：			1 ALL
删除： 				2 行标号-行标号,行标号
删除全部：			2 ALL
查看全部： 			3
查看含10.1的： 			3 10.1
--------（限制原则：全部禁止，仅添加放行。重启系统生效！）--------
'

#
read -p "请输入序列：" KEY
if [ -z "$KEY" ];then continue;fi
KEY1=`echo $KEY|awk '{print $1}'`
KEY2=`echo $KEY|awk '{print $2}'`
KEY_WC=`echo $KEY2|wc -w`
if [ $KEY_WC -ge 2 ];then echo "TIP:地址异常！请遵从语法重新输入！";continue;fi
case $KEY1 in
	1)
	if [ -z "$KEY2" ];then 	echo "TIP:未输入地址！请遵从语法重新输入！";continue;else echo "添加放行地址如下：";echo $KEY2|tr ','  '\n';fi
	read -p "请确认地址是否正确（Y/N）任意键默认Y：" KEY2_KEY
	echo $KEY2_KEY |grep -i 'n' >/dev/null
	if [ $? -eq 0 ];then echo "取消操作。";continue;fi

		for i in `echo $KEY2|tr "," "\n"`
		do
			echo $i |grep '.' >/dev/null 
			if [  $? -eq 0 ];then IP_STAT=YES;fi
			echo $i |grep -i 'all' >/dev/null
			if [  $? -eq 0 ];then ALL_STAT=YES;fi	
			if [[ $IP_STAT == YES || $ALL_STAT == YES  ]];then
				echo "sshd:$i" >> $ALLOW_FILE
				if [ $? -eq 0 ];then  echo "Success,FILE=$ALLOW_FILE 添加操作:"sshd:$i" 成功。";else echo "Error!FILE=$ALLOW_FILE  添加操作:"sshd:$i" 失败！请检测文件权限，或使用root用户重试！";fi
			else	
				echo "Error,${i} 地址异常！跳过添加操作！"
			fi			
		done
	;;

	2)

	if [ -z "$KEY2" ];then echo "TIP:序列不能为空！请遵从语法重新输入！";continue;fi
		KEY2_VAR=`echo $KEY2|tr -d '[0-9]'|tr -d ','|tr -d '-'|sed 's/all//g'|sed 's/ALL//g'|tr -d ' '`
		if [ ! -z "$KEY2_VAR" ];then echo "TIP:无效地址！请遵从语法重新输入！";continue;fi 
		# echo ' --------限制远程ssh登录,当前放行列表--------'
		# cat -n $ALLOW_FILE|sed 's/sshd://g' |awk '{print $0,$1}'|awk '{$1=null;print}'|sed 's/[ ]*//'|grep -Ev "^#|^$"  >$TMP_DIR/now.allow
		# cat -n $TMP_DIR/now.allow|awk '{$NF=null;print}'

		for j in `echo $KEY2|tr "," "\n"`
		do
			echo $j |grep -i 'all' >/dev/null
			if [  $? -eq 0 ];then 
				echo "将删除全部放行端口！"
				read -p "请确认（Y/N）任意键默认Y：" KEY22_KEY
				echo  $KEY22_KEY |grep -i 'n' >/dev/null
				if [ $? -eq 0 ];then 
					echo "取消操作。"
					continue
				else
					ALL_LN=`cat $TMP_DIR/now.allow|awk '{print $NF}'`
					for jj in `echo $ALL_LN` 
					do
						DEL_VAR=`sed -n ${jj}p $TMP_DIR/now.allow|awk '{$NF=null;print}'`
						sed -i "${jj}c #TEST-IPSSH" $ALLOW_FILE						
					done
					cat $ALLOW_FILE|grep -Ev "^#|^$" |grep 'sshd:' >/dev/null
					if [ ! $? -eq 0 ]; then echo "Success,FILE=$ALLOW_FILE 删除操作:清空全部放行 成功。";else echo "Error!FILE=$ALLOW_FILE 删除操作:删除全部放行  失败！请检测文件权限，或使用root用户重试！";fi
				fi
			fi

			
			if [ `echo $j |sed 's/./& /g'|xargs -n1 |grep '-'| wc -l` -eq 1 ];then  
				J_NUM_START=`echo $j |awk -F '-' '{print $1}'`
				J_NUM_END=`echo $j |awk -F '-' '{print $2}'`
				for jj in `seq $J_NUM_START $J_NUM_END`
				do
					NOW_LN=`cat $TMP_DIR/now.allow|wc -l`
					if [ $jj -le $NOW_LN ];then
					DEL_NUM=`sed -n ${jj}p $TMP_DIR/now.allow|awk '{print $NF}'`
					DEL_VAR=`sed -n ${jj}p $TMP_DIR/now.allow|awk '{print $1}'`
					sed -i "${DEL_NUM}c #TEST-IPSSH" $ALLOW_FILE
					if [ $? -eq 0 ]; then echo "Success,FILE=$ALLOW_FILE 删除操作:"$DEL_VAR" 成功。";else echo "Error!FILE=$ALLOW_FILE 删除操作:"$DEL_VAR"  失败！请检测文件权限，或使用root用户重试！";fi
					else
						echo "TIP:不存在行标${JJ}的数据"
					fi
				done
			fi

			J_VAR=`echo $j|tr -d [0-9]|tr -d ' '`

			if [ -z "$J_VAR" ];then 
				NOW_LN=`cat $TMP_DIR/now.allow|wc -l`
				if [ $j -le $NOW_LN ];then
				DEL_NUM=`sed -n ${j}p $TMP_DIR/now.allow|awk '{print $NF}'`
				DEL_VAR=`sed -n ${j}p $TMP_DIR/now.allow|awk '{print $1}'`
				sed -i "${DEL_NUM}c #TEST-IPSSH" $ALLOW_FILE
				if [ $? -eq 0 ]; then echo "Success,FILE=$ALLOW_FILE 删除操作:"$DEL_VAR" 成功。";else echo "Error!FILE=$ALLOW_FILE 删除操作:"$DEL_VAR"  失败！请检测文件权限，或使用root用户重试！";fi
				else
				echo "TIP:不存在行标${JJ}的数据"
				fi
			fi
		done	



	;;

	3)
	if [ -z "$KEY2" ];then 
		# echo ' --------限制远程ssh登录,当前放行列表--------'
		# cat -n $ALLOW_FILE|sed 's/sshd://g' |awk '{print $0,$1}'|awk '{$1=null;print}'|sed 's/[ ]*//'|grep -Ev "^#|^$"  >$TMP_DIR/now.allow
		# cat -n $TMP_DIR/now.allow|awk '{$NF=null;print}'
		continue
	else
		for q in `echo $KEY2|tr ',' '\n'`
		do
			echo "查询包含${q} 结果如下："
			cat -n $ALLOW_FILE|sed 's/sshd://g' |awk '{print $0,$1}'|awk '{$1=null;print}'|sed 's/[ ]*//'|grep -Ev "^#|^$"  >$TMP_DIR/now.allow
			cat  $TMP_DIR/now.allow|awk '{$NF=null;print}'|grep -n "$q"|tr ':' ' '
			echo

		done
	fi
	
	;;

	0)
	exit
	;;	

	*)
	echo "请重新输入！"
	;;	



esac

done

















